1PKCSTOK_MIGRATE(1)               openCryptoki               PKCSTOK_MIGRATE(1)
2
3
4

NAME

6       pkcstok_migrate  -  utility to migrate an ICA, CCA, Soft, or EP11 token
7       repository to the FIPS compliant format  introduced  with  openCryptoki
8       3.12.
9
10

SYNOPSIS

12       pkcstok_migrate [-h]
13       pkcstok_migrate  --slotid  slot-number  --datastore datastore --confdir
14       confdir [--sopin sopin] [--userpin userpin] [--verbose level]
15
16

DESCRIPTION

18       Convert all objects inside a token repository to the new format  intro‐
19       duced  with  version 3.12.  All encrypted data inside the new format is
20       stored using FIPS compliant methods. The new format affects the token's
21       master  key files (MK_SO and MK_USER), the NVTOK.DAT, and the token ob‐
22       ject files in the TOK_OBJ folder.
23
24       While using this tool no process using the token to be migrated must be
25       running.   Especially the pkcsslotd must be stopped before running this
26       tool.
27
28       The tool creates a backup of the token repository to be  migrated,  and
29       performs  all  migration  actions  on this backup, leaving the original
30       repository folder completely untouched. The backup folder is located in
31       the  same  directory  as  the  original repository and is suffixed with
32       _PKCSTOK_MIGRATE_TMP.
33
34       After a successful migration, the original repository is renamed with a
35       suffix of _BAK and the backup folder is renamed to the original reposi‐
36       tory name, so that the migrated repository can immediately be used. The
37       old folder may be deleted by the user manually later.
38
39       After  a  successful  migration,  the tool adds parameter 'tokversion =
40       3.12' to the token's slot configuration in the opencryptoki.conf  file.
41       The  original  config  file is still available as opencryptoki.conf_BAK
42       and may be removed by the user manually.
43
44       After an unsuccessful  migration,  the  original  repository  is  still
45       available unchanged.
46
47

OPTIONS SUMMARY

49       --slotid -s SLOT-NUMBER
50                 specifies the token slot number of the token repository to be
51                 migrated
52
53       --datastore -d DATASTORE
54                 specifies the directory of the token  repository  to  be  mi‐
55                 grated.
56
57       --confdir -c CONFDIR
58                 specifies  the  directory where the opencryptoki.conf file is
59                 located.
60
61       --sopin -p SOPIN
62                 specifies the SO  pin.  If  not  specified,  the  SO  pin  is
63                 prompted.
64
65       --userpin -u USERPIN
66                 specifies  the  user  pin.  If not specified, the user pin is
67                 prompted.
68
69       --verbose -v LEVEL
70                 specifies the verbose level: none, error, warn, info,  devel,
71                 debug
72
73       --help -h show usage information
74
75

SEE ALSO

77       pkcsconf(1),
78       opencryptoki(7),
79       pkcsslotd(8).
80
81
82
833.16.0                             June 2020                PKCSTOK_MIGRATE(1)
Impressum